-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 29 Oct 2022 18:34:02 CEST
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 7703abc9efa1d08a67cf47740e448d5a08dfc47c 2906 tomcat9_9.0.43-2~deb11u4.dsc
 9f1801599dc7d1bcb46c4774b975ef7a9a00e70b 42928 tomcat9_9.0.43-2~deb11u4.debian.tar.xz
 3da251e7d174929d41b164c92dde2713993d62be 14498 tomcat9_9.0.43-2~deb11u4_amd64.buildinfo
Checksums-Sha256:
 15bea427541848618dec25a13c95d97d78503bd15f3884c7b6f5f1e59b1eca24 2906 tomcat9_9.0.43-2~deb11u4.dsc
 1b88aaabeccedcea5e2999cca72c4a54b39074aba6233e2bbed0d0b7a3e35641 42928 tomcat9_9.0.43-2~deb11u4.debian.tar.xz
 1dcd8c790ba6ba1b98fe068f40fe3976c9312fba5fd681f57c2034dc0de7f48a 14498 tomcat9_9.0.43-2~deb11u4_amd64.buildinfo
Changes:
 tomcat9 (9.0.43-2~deb11u4) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-43980: The simplified implementation of blocking reads and
     writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards
     exposed a long standing (but extremely hard to trigger) concurrency bug
     that could cause client connections to share an Http11Processor instance
     resulting in responses, or part responses, to be received by the wrong
     client.
   * Fix CVE-2022-23181: The fix for bug CVE-2020-9484 introduced a time of
     check, time of use vulnerability into Apache Tomcat that allowed a local
     attacker to perform actions with the privileges of the user that the
     Tomcat process is using. This issue is only exploitable when Tomcat is
     configured to persist sessions using the FileStore.
   * Fix CVE-2022-29885: The documentation of Apache Tomcat for the
     EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run
     over an untrusted network. This was not correct. While the
     EncryptInterceptor does provide confidentiality and integrity protection,
     it does not protect against all risks associated with running over any
     untrusted network, particularly DoS risks.
Files:
 9ec5366aca1444ccaedae67d4e02f8ca 2906 java optional tomcat9_9.0.43-2~deb11u4.dsc
 c18a104200c86e53194a610312a7017a 42928 java optional tomcat9_9.0.43-2~deb11u4.debian.tar.xz
 d7de40ba8ade64216326af72aa248c68 14498 java optional tomcat9_9.0.43-2~deb11u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmNdVlxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkBuIP/1DM+oSmkvR6OY3zP/f1/C2ZUEUd7ZgMMZ21
D/zh9qIgBXg8cEf4WOlRP6sTW2jYl5JwwhmWCK5084q2qR4bPEISrbRq+d1qo3az
sARl7XADbcFhPInLdr9mT7xub51eXCplo65HIiO388TlO0cCmF03iKekW5v9NWmq
nY9IxJwnVVDjSn1p55Ol5+pEbeDQyiFn5EHKSEsWd+uvftr1kXkbZHI0L07JuMdf
nU6Vrnub4MC/wVzEPIQkT9ic85WiwB3O96wtaIg4rvSaZKLZXVC2c0W6Tpu1Ihxh
R9E4ttsKHd8b1yU5R+efVjXCgy1HhqnmK7KIxk7X401SzeQoqV80NPby5MP9rKlp
CnSGmz8XafFJgXEPzmBavfwD+IkiqYvMDqGkH5pnau2ssM6Ik0joHv2QCR7uWReD
orQCfBz7B1IwdnAVUnn4o4bQjXdLQfd2q8duB2sUX26p9jMnxfuM+MLUQ6yK+5Zk
xdeoQhgf64wIUht4YvexrWpjiD37cACpUn0zfMqVoJa92l4W9uXJGApdXFwmlWD5
CkQYn03cnJs8Y36P4qFjPnUSvPF3P6mJukSOXuh4pL9OeQhSNwgpnUIJktaEk7Gx
8+IJMX4sVmXyYLdedlJNGXhSRGQvrwmJQ1b+4WdfMtLOV9/HdvZS2aE52V7xhCY4
sf25j1+q
=OmHG
-----END PGP SIGNATURE-----
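The Checksums-Sha256 field of a .changes file such as the one above is what a consumer of the upload should check after fetching the listed files, and the check has to cover both the size and the hash, since the size is part of the signed record. The script below is an added example, not part of this .changes file and not Debian's own tooling (dscverify, dget and the like). It assumes POSIX sh with awk, wc and sha256sum (falling back to shasum -a 256), parses the Checksums-Sha256 continuation lines of any .changes file, and verifies each listed file in a directory. The demonstration input is constructed: a one-file "upload" whose entry is the well-known SHA-256 test vector for the string "abc", with the MD5 of the same string in the Files line.

```shell
#!/bin/sh
# Added example: verify the Checksums-Sha256 block of a Debian .changes file
# against downloaded files. Not part of the tomcat9 upload or of Debian tooling.
# Assumes POSIX sh, awk, wc and sha256sum (or shasum -a 256).

# Print the hex SHA-256 of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Print the " <sha256> <size> <name>" continuation lines of Checksums-Sha256.
# In .changes files a multi-line field consists of lines starting with a
# space; the field ends at the first line that does not start with a space.
changes_sha256_entries() {
    awk '
        /^Checksums-Sha256:/ { infield = 1; next }
        infield && /^ /     { print; next }
        infield             { infield = 0 }
    ' "$1"
}

# verify_changes_sha256 CHANGES_FILE DIR
# Returns 0 only if every listed file exists in DIR with the listed size and
# SHA-256; prints one status line per file. Size is compared first because a
# wrong size is a cheaper, clearer signal than a hash mismatch.
verify_changes_sha256() {
    changes=$1; dir=$2; rc=0; n=0
    while read -r want_hash want_size name; do
        [ -n "$name" ] || continue           # skip the empty line an empty field yields
        n=$((n + 1))
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got_size=$(wc -c < "$path" | tr -d ' ')
        got_hash=$(sha256_of "$path")
        if [ "$got_size" != "$want_size" ]; then
            echo "BADSIZE  $name (want $want_size, got $got_size)"; rc=1
        elif [ "$got_hash" != "$want_hash" ]; then
            echo "BADHASH  $name"; rc=1
        else
            echo "OK       $name"
        fi
    done <<EOF
$(changes_sha256_entries "$changes")
EOF
    if [ "$n" -eq 0 ]; then
        echo "no Checksums-Sha256 entries in $changes"; return 1
    fi
    return $rc
}

# Constructed demonstration (not the real tomcat9 upload): one file whose
# content is "abc"; the hashes are the standard SHA-256/MD5 test vectors.
# Returns 0 when the intact file verifies and a one-byte tamper is caught.
demo_verify_changes() {
    d=$(mktemp -d)
    printf 'abc' > "$d/pkg_1.0.dsc"
    cat > "$d/pkg.changes" <<'EOF'
Format: 1.8
Source: pkg
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 pkg_1.0.dsc
Files:
 900150983cd24fb0d6963f7d28e17f72 3 misc optional pkg_1.0.dsc
EOF
    if verify_changes_sha256 "$d/pkg.changes" "$d"; then good=0; else good=1; fi
    printf 'abd' > "$d/pkg_1.0.dsc"          # same size, one byte changed
    if verify_changes_sha256 "$d/pkg.changes" "$d"; then bad=0; else bad=1; fi
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

For a real upload, run verify_changes_sha256 on the .changes file in the directory holding the .dsc, .debian.tar.xz and .buildinfo it lists. The checksums only mean something if the clearsigned text itself is trusted, so check the signature first (for example with gpgv against the Debian keyring from the debian-keyring package); a .changes file that has been reflowed or otherwise altered, as extracted copies often are, will not verify and its checksums should not be relied on.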